General MoBlock thread

[jre]

i guess on installation you accepted to whitelist outging TCP conections on port 80 and 443 (http and https services). Just edit /etc/blockcocntrol/blockcocntrol.conf and remove this whitelisting. See also https://help.ubuntu.com/community/MoBlock

[skipper38]

Hi jre thanks for your response, I'm not quite sure what you mean about editing the /etc/blockcontrol/blockcontrol conf ?? Heres my log dunno if this helps....sorry for being vague but I'm still getting my head around linux, but i am loving it

p, li { white-space: pre-wrap; } Current IPv4 iptables rules (this may take a while):
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 blockcontrol_in all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14
1866 1855K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
1866 1855K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 blockcontrol_fw all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2 packets, 80 bytes)
pkts bytes target prot opt in out source destination
182 11348 blockcontrol_out all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW mark match !0x14
1754 281K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
1754 281K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
268 18758 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
268 18758 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
268 18758 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
268 18758 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain blockcontrol_fw (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xa
0 0 RETURN all -- * * 0.0.0.0/0 192.168.2.1
0 0 RETURN all -- * * 192.168.2.0/24 192.168.2.0/24
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92
Chain blockcontrol_in (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xa
0 0 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 192.168.2.0/24 0.0.0.0/0
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92
Chain blockcontrol_out (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xa reject-with icmp-port-unreachable
0 0 RETURN all -- * lo 0.0.0.0/0 0.0.0.0/0
123 7808 RETURN all -- * * 0.0.0.0/0 192.168.2.1
0 0 RETURN all -- * * 0.0.0.0/0 192.168.2.0/24
15 900 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
44 2640 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 NFQUEUE num 92
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK] '
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK] '
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
6 300 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1851 1852K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
9 2637 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 224.0.0.0/4 0.0.0.0/0
9 2637 ACCEPT all -- * * 0.0.0.0/0 224.0.0.0/4
0 0 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
6 300 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
1480 262K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
268 18758 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW ALLOW] '
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix `[UFW BLOCK] '
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
9 2637 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
72 4320 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
194 14358 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix `[UFW LIMIT BLOCK] '
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
Please check if the above printed iptables rules are correct!
* moblock is running
PID: 2045 CMD: /usr/bin/moblock -p /var/lib/blockcontrol/guarding.p2p -q 92 -t -r 10 -a 20 /var/log/moblock.log
* blockcontrol.wd is running
PID: 2050 CMD: /bin/sh /usr/bin/blockcontrol.wd

[jre]

Just have a look here: https://help.ubuntu.com/community/Mo...rtain%20ports?
There it is described how to whitelist the ports I were talking about. Now I suggest you do just the opposite of that: change the entry to WHITE_TCP_OUT=""
Afterwards do a "sudo blockcontrol restart" in the console.

Please have a look at my signature about the CODE tags for quoting.

[jre]

In detail this means:
type in console

Code:

gksu gedit /etc/blockcontrol/blockcontrol.conf

An editor will open ... there you add this line to the file:

Code:

WHITE_TCP_OUT=""

Save the file and quit the editor.
Then type in console

Code:

sudo blockcontrol restart

And you're done.

[skipper38]

In detail this means:
type in console

Code:

gksu gedit /etc/blockcontrol/blockcontrol.conf

An editor will open ... there you add this line to the file:

Code:

WHITE_TCP_OUT=""

Save the file and quit the editor.
Then type in console

Code:

sudo blockcontrol restart

And you're done.

Ok jre I did what you said and now I can't access internet at all.....done a couple of searches and it looks like I have to whitelist my ip range ? is this correct as you seem to be able to explain all this very well for us noobs....cheers

[jre]

Been away and busy ...

What do you mean with "can't access internet at all". Can't you surf to any webpages with your webbrowser, or do all internet services (e.g. email client, chat client, weather applet), not work.

I guess it is the first problem. This is because the default blocklist setup is quite paranoid and blocks one third of the internet. You then have the following solutions:

• choose less blocklists
• or whitelist http again
• or allow all IPs of webpages that you want to visit
• or stop moblock, whenever you want to surf the internet

If it is the latter problem then please post the output of "blockcontrol show_config" and /var/log/moblock.log

[ewan86]

How do I install in Maverick?

[jre]

For Maverick I have only made "pgl" packages yet.
Moblock, .. packages will follow this or next week.

[jre]

I just made new moblock/blockcontrol/mobloquer packages, also for Ubuntu Maverick (10.10). They are built now and will be available soon.

At the same time I dropped support for Ubuntu Jaunty (9.04)

[radarman]

Hello,

Was having issues with the latest Moblock installation, wondering if anyone could help.

I'm trying to setup moblock the old way, no packet marking, just accept packet or drop/reject it. I'm trying to use moblock's nfqueue with iptables. I've had no success yet, but here is what I have so far.

My /etc/blockcontrol/blockcontrol.conf looks like this:

Code:

IPTABLES_SETTINGS="0"
NFQUEUE_NUMBER="0"
REJECT="0"
ACCEPT="0"

My iptables script looks like this:

Code:

# Flush all chains
iptables --flush

# Loopback Interface, Bridge
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append INPUT --in-interface br0 --jump ACCEPT

# DNS
iptables --append INPUT --protocol tcp --sport 53 --match state --state ESTABLISHED --jump ACCEPT

iptables --append INPUT --protocol udp --sport 53 --match state --state ESTABLISHED --jump ACCEPT

# SSH
iptables --append INPUT --protocol tcp --dport 22

# ICMP Incoming
iptables --append INPUT --protocol icmp --match state --state ESTABLISHED --jump ACCEPT

# Default action is DROP
iptables --append INPUT --jump DROP


# Loopback Interface, Bridge
iptables --append OUTPUT --out-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface br0 --jump ACCEPT

# DNS
iptables --append OUTPUT --protocol tcp --dport 53 --match state --state NEW,ESTABLISHED --jump ACCEPT

iptables --append OUTPUT --protocol udp --dport 53 --match state --state NEW,ESTABLISHED --jump ACCEPT

# ICMP Outgoing
iptables --append OUTPUT --protocol icmp --jump ACCEPT

# Default action is moblock
iptables --append OUTPUT --jump NFQUEUE

So as you can see, any outgoing traffic that does not match a rule should be going to moblock's NFQUEUE. Unfortunately nothing seems to happen to that, and moblock's log shows no signs of activity. When I do 'blockcontrol status' it says moblock is running, and also shows an increasing number of packets going to NFQUEUE 0.

Any ideas?